[jszymborski]

It looks like a mitigation might be that in the event you do not have the application installed, to return a "denied" status and send a prompt to the user like "Unknown application protocol".

Something like that could still would be susceptible to a timing attack though.

[Haemm0r]

always show the popup, but populate it "later" could work too.

[dathinab]

Yes I believe the proper fix would be to always behave as if a popup is showing, independent of weather or not it actually shows.

Through it's maybe slightly more complex as you might need to behave as if the user clicked cancel in a way where a attacker can not easily differentiate it from an actual user clicking cancel.